Overview

overview

10

Static

static

369b837d2a...39.exe

windows7_x64

10

369b837d2a...39.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    17-02-2022 03:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    369b837d2a43020353233d28b132827efd0fc311b3b56f25aa1b9ba5b209a539.exe

  • Size

    1.9MB

  • MD5

    31d419dcf1a407ca78a912fec4369155

  • SHA1

    148931fc3308f19f113500932f0f50ea23bbf83d

  • SHA256

    369b837d2a43020353233d28b132827efd0fc311b3b56f25aa1b9ba5b209a539

  • SHA512

    aa844c1b84c83e29f6dbe281a08a8bd0af1587a7c4db26ba36bae1f00947da99afaeb7ccb967e5fa3f7f0d0a24bd8bbc9636385ac5f32de238dfd3a519b8bf98

Score
10/10
shurkevasioninfostealerspywarestealertrojan

Malware Config

Signatures

  • Shurk

    Shurk is an infostealer, written in C++ which appeared in 2021.

    infostealershurk
  • Shurk Stealer Payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Executes dropped EXE 2 IoCs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\369b837d2a43020353233d28b132827efd0fc311b3b56f25aa1b9ba5b209a539.exe
    "C:\Users\Admin\AppData\Local\Temp\369b837d2a43020353233d28b132827efd0fc311b3b56f25aa1b9ba5b209a539.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\vbs.vbs"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c bat.bat
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1048
        • C:\Users\Admin\AppData\Local\Temp\Hack.sfx.exe
          Hack.sfx.exe -pDSBFISDHFUOHSDUOFHUO182734198276491KHASCFGBAJJHJDFGA -dC:\Users\Admin\AppData\Local\Temp
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:956
          • C:\Users\Admin\AppData\Local\Temp\Hack.exe
            "C:\Users\Admin\AppData\Local\Temp\Hack.exe"
            5⤵
            • Executes dropped EXE
            • Checks BIOS information in registry
            • Identifies Wine through registry keys
            • Checks whether UAC is enabled
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious behavior: EnumeratesProcesses
            PID:596

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/596-73-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-83-0x0000000000870000-0x0000000000871000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-70-0x00000000005D0000-0x00000000005D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-71-0x0000000000860000-0x0000000000861000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-68-0x0000000077330000-0x0000000077332000-memory.dmp

    Filesize

    8KB

    Download

  • memory/596-72-0x00000000007B0000-0x00000000007B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-90-0x0000000000790000-0x0000000000791000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-74-0x00000000006F0000-0x00000000006F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-75-0x00000000005A0000-0x00000000005A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-77-0x0000000000760000-0x0000000000761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-76-0x0000000000151000-0x0000000000196000-memory.dmp

    Filesize

    276KB

    Download

  • memory/596-78-0x00000000007A0000-0x00000000007A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-79-0x0000000000770000-0x0000000000771000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-81-0x00000000007C0000-0x00000000007C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-80-0x0000000000780000-0x0000000000781000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-82-0x0000000000730000-0x0000000000731000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-69-0x00000000005E0000-0x00000000005E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-84-0x0000000000880000-0x0000000000881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-85-0x00000000005B0000-0x00000000005B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-86-0x0000000000750000-0x0000000000751000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-87-0x0000000000700000-0x0000000000701000-memory.dmp

    Filesize

    4KB

    Download

  • memory/596-88-0x0000000000720000-0x0000000000722000-memory.dmp

    Filesize

    8KB

    Download

  • memory/596-89-0x0000000000740000-0x0000000000741000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1568-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

    Filesize

    8KB

    Download